Snort mailing list archives
snort + IPFilter?
From: "Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>
Date: Fri, 31 Jan 2003 08:30:55 -0800
Pardon the cross-posting; some of this may be more appropriate on freebsd-questions, but I am having serious problems posting questions to that list.

I'm running snort-1.9.0 logging to mysql, displaying on ACID b22, on a FreeBSD box. I have IPFilter running on the same machine with the kernel options and ruleset shown below. It's not a firewall, just a host on the network. On snort, I am seeing only broadcast UDP traffic, no TCP whatsoever, even when I nmap the machine. I made an assumption, which I am now starting to doubt, that while adopting a default-block stance and only allowing specific connections via the ethernet interface, snort would still log (all) alerts. It has been brought to my attention I may be on a switch rather than a hub, but I should still see nmap alerts when I am directing the scan on myself, shouldn't I? Any help would be appreciated....

Benjamin Everist

Other/more information:

This is what I start snort with:

    #snort -D -i xl0 -c /usr/local/snort-1.9.0/etc/snort.conf

My snort.conf is essentially default except I have defined var HOME_NET and defined my output options.
Firewall options - IPFilter (kernel options):

    options IPFILTER
    options IPFILTER_LOG
    options IPFILTER_DEFAULT_BLOCK

IPFilter ruleset:

    #block all garbage we never want to accept:
    block in log quick from any to any with ipopts
    block in log quick proto tcp from any to any with short

    #lo0
    pass in quick on lo0 all
    pass out quick on lo0 all

    #outbound xl0
    pass out on xl0 all keep state head 100
    block out from 127.0.0.0/8 to any group 100
    block out from any to 127.0.0.0/8 group 100
    block out from any to 172.16.100.9/32 group 100

    #inbound xl0
    block in on xl0 all head 200
    block in from 127.0.0.0/8 to any group 200
    block in from 172.16.100.9/32 to any group 200
    pass in quick proto tcp from any to any port = www keep state group 200
    pass in quick proto tcp from any to any port = 22 keep state group 200
    block return-rst in log proto tcp from any to any flags S/SA group 200
    block return-icmp(net-unr) in proto udp all group 200
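Added example, not part of the post above and not IPFilter's or Snort's own code: a small Python parser for the subset of ipf rule syntax the quoted ruleset uses (pass/block, in/out, log, quick, on, proto, from/to, port =, keep state, head/group, flags, with, return-*). It reads the ruleset as constructed sample input and reports two things a defender wants to know when comparing a host filter with a sniffer-based IDS on the same box: which inbound TCP ports the filter passes, and which block rules drop traffic without the "log" keyword, so that those matches never reach ipmon and would only be visible to something listening on the interface itself. It assumes one rule per line and raises on any keyword outside that subset.

```python
"""Parse the IPFilter ruleset quoted in the post and summarise what it
passes, blocks and logs. Added example; only the keywords used in that
ruleset are supported."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the ruleset from the post, one rule per line.
SAMPLE_RULESET = """\
#block all garbage we never want to accept:
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
#lo0
pass in quick on lo0 all
pass out quick on lo0 all
#outbound xl0
pass out on xl0 all keep state head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to 172.16.100.9/32 group 100
#inbound xl0
block in on xl0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 172.16.100.9/32 to any group 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200
"""


@dataclass
class Rule:
    text: str
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    log: bool = False            # "log": the match is written to ipf's log (read by ipmon)
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: str = "any"
    dst: str = "any"
    dport: Optional[str] = None
    keep_state: bool = False
    head: Optional[str] = None
    group: Optional[str] = None
    extras: List[str] = field(default_factory=list)  # return-*, flags, with


def parse_rule(line: str) -> Rule:
    toks = line.split()
    action, i = toks[0], 1
    extras = []
    if toks[i].startswith("return-"):       # "block return-rst" / "block return-icmp(...)"
        extras.append(toks[i])
        i += 1
    rule = Rule(text=line, action=action, direction=toks[i], extras=extras)
    i += 1
    while i < len(toks):
        t = toks[i]
        if t in ("log", "quick", "all"):
            if t != "all":
                setattr(rule, t, True)
            i += 1
        elif t in ("on", "proto", "from", "to", "head", "group"):
            attr = {"on": "iface", "from": "src", "to": "dst"}.get(t, t)
            setattr(rule, attr, toks[i + 1])
            i += 2
        elif t == "port":                    # "port = <service>"
            rule.dport = toks[i + 2]
            i += 3
        elif t == "keep":                    # "keep state"
            rule.keep_state = True
            i += 2
        elif t in ("flags", "with"):
            rule.extras.append(f"{t} {toks[i + 1]}")
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule


def parse_ruleset(text: str) -> List[Rule]:
    """Parse all non-comment, non-blank lines of an ipf ruleset."""
    return [parse_rule(l.strip()) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def inbound_tcp_ports_passed(rules: List[Rule]) -> List[str]:
    """Destination ports the filter accepts from the network over TCP."""
    return [r.dport for r in rules
            if r.action == "pass" and r.direction == "in" and r.proto == "tcp"]


def unlogged_blocks(rules: List[Rule], direction: str = "in") -> List[str]:
    """Block rules without 'log': drops that never appear in ipmon output,
    so only a sniffer on the interface (e.g. snort) could show them."""
    return [r.text for r in rules
            if r.action == "block" and r.direction == direction and not r.log]


if __name__ == "__main__":
    rs = parse_ruleset(SAMPLE_RULESET)
    print("inbound TCP ports passed:", inbound_tcp_ports_passed(rs))
    print("inbound blocks without 'log':")
    for t in unlogged_blocks(rs):
        print("   ", t)
```

Run as-is it lists the two passed inbound services (www and 22) and the four inbound block rules that drop silently; pass direction="out" to unlogged_blocks for the outbound group. The point of separating "passed", "blocked and logged" and "blocked silently" is that each bucket has a different place to look for evidence: the service's own logs, ipmon, or a sniffer on the interface.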